Linux Kernel SMB Server Handling of Send Completions Without IB_SEND_SIGNALED Vulnerability

Vulnerability

A vulnerability has been identified in the SMB server component of the Linux kernel, specifically in versions 6.18.x. The issue lies in the 'send_done' function, which does not correctly handle the completion of send operations when the 'IB_SEND_SIGNALED' flag is absent. This can occur during 'smbdirect_send_batch' processing and leads to potential memory management problems: when a connection is disrupted, all requests are signaled, even those for which 'IB_SEND_SIGNALED' was not explicitly set, producing completions that the send completion handling does not expect.

Impact

Exploitation of this vulnerability can lead to memory management issues, such as use-after-free errors, which can potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a batch of requests using the 'smbdirect_send_batch' process without the 'IB_SEND_SIGNALED' flag. If the connection is then broken, all requests will be incorrectly signaled, creating a mismatch in the expected send completion handling.
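As a constructed illustration of the completion mismatch described here and in the Vulnerability section (an added example, not kernel code and not the project's own fix), the model below posts a batch with only its last request signaled and compares a handler that frees the batch on every completion with one that retires requests individually. The struct layout, BATCH_SIZE, 'simulate' and both handler names are assumptions of this model.

```c
#include <stdbool.h>

/* Constructed model of send-completion accounting, not kernel code. A batch is
 * posted with IB_SEND_SIGNALED on its last request only: a healthy link yields
 * one completion per batch, but after a disconnect every request completes. */
#define BATCH_SIZE 4
struct send_batch;
struct send_req {
    bool signaled, done;       /* modeled IB_SEND_SIGNALED flag; completion seen */
    struct send_batch *batch;
};
struct send_batch {
    struct send_req reqs[BATCH_SIZE];
    int outstanding, released; /* not yet retired; frees done (>1 = double free) */
};
/* Buggy handler: assumes each completion is the batch's single signaled one. */
static void send_done_buggy(struct send_req *req)
{
    req->batch->released++;    /* frees the batch on every completion */
}
/* Fixed handler: retires requests one by one and frees the batch only when the
 * last outstanding request is gone, whether one completion or many arrive. */
static void send_done_fixed(struct send_req *req)
{
    struct send_batch *b = req->batch;
    int before = b->outstanding;
    if (req->signaled) {       /* sends complete in order: earlier ones are done */
        for (int i = 0; i < BATCH_SIZE; i++)
            if (!b->reqs[i].done) { b->reqs[i].done = true; b->outstanding--; }
    } else if (!req->done) {
        req->done = true;
        b->outstanding--;
    }
    if (before > 0 && b->outstanding == 0)
        b->released++;
}

/* Post a batch, deliver its completions, return how many times it was freed. */
static int simulate(void (*send_done)(struct send_req *), bool disconnect)
{
    struct send_batch b = { .outstanding = BATCH_SIZE };
    for (int i = 0; i < BATCH_SIZE; i++) {
        b.reqs[i].signaled = (i == BATCH_SIZE - 1);
        b.reqs[i].batch = &b;
    }
    for (int i = 0; i < BATCH_SIZE; i++)   /* flush delivers every request */
        if (disconnect || b.reqs[i].signaled) send_done(&b.reqs[i]);
    return b.released;
}
```

On the healthy path both handlers free the batch once; after a simulated disconnect the buggy handler frees it once per request, which is the double-free pattern behind the use-after-free the Impact section names.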

Remediation

Users should upgrade to a Linux kernel release in which this vulnerability has been addressed.

Added: Apr 24, 2026, 8:34 PM
Updated: Apr 24, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.